
No utility is safe from the threat of cyber-attacks but all utilities, even in Africa, will benefit from sharing cybersecurity intelligence, writes AUTC Cybersecurity Work Group, South Africa member Matthew Taljaard and co-authors Billy Petzer and Terence Pillay.

The public utility sector, which provides services essential to an economy, is modernising its infrastructure to become more digitised. This is necessary for utilities to scale with the demand of the economies they support.

This article originally appeared in Issue 2 2018 of our print magazine. The digital version of the full magazine can be read online or downloaded free of charge.

Digitisation allows for more efficient operations in a utility, such as remote monitoring and control of infrastructure. This, however, presents a risk of utility infrastructure being manipulated by unauthorised users through the manipulation of data. The loss of a utility could have severe consequences for the economy that it supports and could even result in loss of life.

Arming the utility through cybersecurity measures is therefore required for the protection of utility infrastructure. Cybersecurity is the implementation of practices, processes and technologies to protect against cyber-attacks. Technological environments can be simply broken down into the Operational Technology (OT) environment and the Information Technology (IT) environment.

Slow responders at risk

In the utility landscape, the risk lies in defences lagging behind the ever-evolving cybersecurity threat. Cybersecurity techniques used in the OT environment, which covers the core business areas, are mainly adopted from IT security. Implementing IT security in the OT environment, however, does not imply a secured OT environment, because there are many limitations on what can be done in the OT environment.

For example, in the utility sector, OT environments are limited in when patching can be done. IT security relies on having the latest patches to stay updated and guard against the latest vulnerabilities. OT, however, cannot patch at a consistent rate.

The risk of losing a critical OT system because of a patch prevents OT system owners from updating unless the patch goes through some form of change control procedure. This is usually time-consuming, so a patch is not applied unless it is deemed critical. Utilities are therefore in a constant state of experimentation with IT security in the hope of identifying what is effective in protecting the OT network without compromising the availability requirements of the OT systems.

Therefore, OT must handle security differently to IT. This creates pressure on utilities to find a solution with limited information available. Meanwhile, all utilities are experiencing the same problems to some degree. Now, more than ever, is when collaboration between utilities on experiences with cyber threats can provide dividends. A utility does not necessarily have to make a mistake to learn but rather can engage other utilities to share experiences.

A utility under siege

Utilities can benefit from published accounts of cyber-attacks in their environment. A cyber-attack such as the Ukraine incident in 2015 can provide valuable information on how cyber threats are propagating into the utility environment. This incident showed the dire impact that advanced persistent threats (APTs) can have on OT networks.

The cyber-attacks witnessed in Ukraine in 2015 were not a once-off; they were repeated in 2016. The lesson is that cyber-attackers are willing to try these attack vectors again if there is a possibility of success.

This is a valuable lesson, as most utilities will have plenty of gaps to close but are not sure which risks should be prioritised. When a cyber-attack on a utility is published, the threat landscape can be updated and a utility can establish which gaps in its environment should be prioritised.

The value can be seen when these attacks are simulated in the utility’s own environment through training, so that risks can be highlighted and mitigated. Utilities are advised to engage with their peers to discuss risks. This can be done through established committees from governmental, local and even international forums.

However, utilities are reluctant to discuss risks relating to cybersecurity, as sensitive information could unwittingly be leaked. This information could relate to a country’s critical infrastructure and would require permission and vetting of the audience before matters can be discussed.

Combating the risk

In South Africa, the Cybercrimes and Cybersecurity Bill provides guidance on creating a structure to deal with cybersecurity. This structure can be used to share risks in a timely and secure manner. The bill refers to establishing a ‘Cybersecurity Hub’, which can be used to:

1. Promote cybersecurity in the private sector.
2. Act as centralised contact between government and the private sector.
3. Enable private sector security incident response teams in the private sector.
4. Enable response to cybersecurity incidents.

A cybersecurity hub will not only allow utilities to collaborate, but will also allow other areas of the cybersecurity sector to influence and assist utilities in combating cybersecurity threats and reducing their cyber risk.

Thus, continued development of infrastructure, stringent processes and digitising business data are strategic to growing and stabilising the economy. Digitisation is a necessary step for utilities to scale to the demand of the economies they support. This, however, exposes installed legacy utility infrastructure to the risk of cyber-attacks, which were outside its design scope. It is recommended that utilities look into establishing a cybersecurity hub where cyber-related information can be shared to obtain methods for dealing with cyber threats. The impact of these benefits reshapes how utilities address security issues within the OT environment. As a result, cyber risk can be reduced, safeguarding business availability in a digital era.
